1. Packages
  2. Aquasec
  3. API Docs
  4. EnforcerGroups
Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse

aquasec.EnforcerGroups

Explore with Pulumi AI

aquasec logo
Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aquasec = Pulumiverse.Aquasec;
    
    return await Deployment.RunAsync(() => 
    {
        var @group = new Aquasec.EnforcerGroups("group", new()
        {
            AntivirusProtection = true,
            ContainerActivityProtection = true,
            ContainerAntivirusProtection = true,
            Enforce = true,
            Forensics = true,
            GroupId = "tf-test-enforcer",
            HostAssurance = true,
            HostForensics = true,
            HostNetworkProtection = true,
            HostProtection = true,
            ImageAssurance = true,
            NetworkProtection = true,
            Orchestrators = new[]
            {
                null,
            },
            RiskExplorerAutoDiscovery = true,
            SyncHostImages = true,
            Type = "agent",
        });
    
        var group_kubeEnforcer = new Aquasec.EnforcerGroups("group-kubeEnforcer", new()
        {
            AdmissionControl = true,
            AutoCopySecrets = true,
            AutoDiscoverConfigureRegistries = true,
            AutoDiscoveryEnabled = true,
            AutoScanDiscoveredImagesRunningContainers = true,
            BlockAdmissionControl = true,
            Enforce = true,
            GroupId = "tf-test-kube_enforcer",
            KubeBenchImageName = "registry.aquasec.com/kube-bench:v0.6.5",
            MicroEnforcerSecretsName = "aqua-registry",
            Orchestrators = new[]
            {
                new Aquasec.Inputs.EnforcerGroupsOrchestratorArgs
                {
                    Namespace = "aqua",
                    Type = "kubernetes",
                },
            },
            Type = "kube_enforcer",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := aquasec.NewEnforcerGroups(ctx, "group", &aquasec.EnforcerGroupsArgs{
    			AntivirusProtection:          pulumi.Bool(true),
    			ContainerActivityProtection:  pulumi.Bool(true),
    			ContainerAntivirusProtection: pulumi.Bool(true),
    			Enforce:                      pulumi.Bool(true),
    			Forensics:                    pulumi.Bool(true),
    			GroupId:                      pulumi.String("tf-test-enforcer"),
    			HostAssurance:                pulumi.Bool(true),
    			HostForensics:                pulumi.Bool(true),
    			HostNetworkProtection:        pulumi.Bool(true),
    			HostProtection:               pulumi.Bool(true),
    			ImageAssurance:               pulumi.Bool(true),
    			NetworkProtection:            pulumi.Bool(true),
    			Orchestrators: aquasec.EnforcerGroupsOrchestratorArray{
    				nil,
    			},
    			RiskExplorerAutoDiscovery: pulumi.Bool(true),
    			SyncHostImages:            pulumi.Bool(true),
    			Type:                      pulumi.String("agent"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = aquasec.NewEnforcerGroups(ctx, "group-kubeEnforcer", &aquasec.EnforcerGroupsArgs{
    			AdmissionControl:                          pulumi.Bool(true),
    			AutoCopySecrets:                           pulumi.Bool(true),
    			AutoDiscoverConfigureRegistries:           pulumi.Bool(true),
    			AutoDiscoveryEnabled:                      pulumi.Bool(true),
    			AutoScanDiscoveredImagesRunningContainers: pulumi.Bool(true),
    			BlockAdmissionControl:                     pulumi.Bool(true),
    			Enforce:                                   pulumi.Bool(true),
    			GroupId:                                   pulumi.String("tf-test-kube_enforcer"),
    			KubeBenchImageName:                        pulumi.String("registry.aquasec.com/kube-bench:v0.6.5"),
    			MicroEnforcerSecretsName:                  pulumi.String("aqua-registry"),
    			Orchestrators: aquasec.EnforcerGroupsOrchestratorArray{
    				&aquasec.EnforcerGroupsOrchestratorArgs{
    					Namespace: pulumi.String("aqua"),
    					Type:      pulumi.String("kubernetes"),
    				},
    			},
    			Type: pulumi.String("kube_enforcer"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aquasec.EnforcerGroups;
    import com.pulumi.aquasec.EnforcerGroupsArgs;
    import com.pulumi.aquasec.inputs.EnforcerGroupsOrchestratorArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var group = new EnforcerGroups("group", EnforcerGroupsArgs.builder()        
                .antivirusProtection(true)
                .containerActivityProtection(true)
                .containerAntivirusProtection(true)
                .enforce(true)
                .forensics(true)
                .groupId("tf-test-enforcer")
                .hostAssurance(true)
                .hostForensics(true)
                .hostNetworkProtection(true)
                .hostProtection(true)
                .imageAssurance(true)
                .networkProtection(true)
                .orchestrators()
                .riskExplorerAutoDiscovery(true)
                .syncHostImages(true)
                .type("agent")
                .build());
    
            var group_kubeEnforcer = new EnforcerGroups("group-kubeEnforcer", EnforcerGroupsArgs.builder()        
                .admissionControl(true)
                .autoCopySecrets(true)
                .autoDiscoverConfigureRegistries(true)
                .autoDiscoveryEnabled(true)
                .autoScanDiscoveredImagesRunningContainers(true)
                .blockAdmissionControl(true)
                .enforce(true)
                .groupId("tf-test-kube_enforcer")
                .kubeBenchImageName("registry.aquasec.com/kube-bench:v0.6.5")
                .microEnforcerSecretsName("aqua-registry")
                .orchestrators(EnforcerGroupsOrchestratorArgs.builder()
                    .namespace("aqua")
                    .type("kubernetes")
                    .build())
                .type("kube_enforcer")
                .build());
    
        }
    }
    
    import pulumi
    import pulumiverse_aquasec as aquasec
    
    group = aquasec.EnforcerGroups("group",
        antivirus_protection=True,
        container_activity_protection=True,
        container_antivirus_protection=True,
        enforce=True,
        forensics=True,
        group_id="tf-test-enforcer",
        host_assurance=True,
        host_forensics=True,
        host_network_protection=True,
        host_protection=True,
        image_assurance=True,
        network_protection=True,
        orchestrators=[aquasec.EnforcerGroupsOrchestratorArgs()],
        risk_explorer_auto_discovery=True,
        sync_host_images=True,
        type="agent")
    group_kube_enforcer = aquasec.EnforcerGroups("group-kubeEnforcer",
        admission_control=True,
        auto_copy_secrets=True,
        auto_discover_configure_registries=True,
        auto_discovery_enabled=True,
        auto_scan_discovered_images_running_containers=True,
        block_admission_control=True,
        enforce=True,
        group_id="tf-test-kube_enforcer",
        kube_bench_image_name="registry.aquasec.com/kube-bench:v0.6.5",
        micro_enforcer_secrets_name="aqua-registry",
        orchestrators=[aquasec.EnforcerGroupsOrchestratorArgs(
            namespace="aqua",
            type="kubernetes",
        )],
        type="kube_enforcer")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aquasec from "@pulumiverse/aquasec";
    
    const group = new aquasec.EnforcerGroups("group", {
        antivirusProtection: true,
        containerActivityProtection: true,
        containerAntivirusProtection: true,
        enforce: true,
        forensics: true,
        groupId: "tf-test-enforcer",
        hostAssurance: true,
        hostForensics: true,
        hostNetworkProtection: true,
        hostProtection: true,
        imageAssurance: true,
        networkProtection: true,
        orchestrators: [{}],
        riskExplorerAutoDiscovery: true,
        syncHostImages: true,
        type: "agent",
    });
    const group_kubeEnforcer = new aquasec.EnforcerGroups("group-kubeEnforcer", {
        admissionControl: true,
        autoCopySecrets: true,
        autoDiscoverConfigureRegistries: true,
        autoDiscoveryEnabled: true,
        autoScanDiscoveredImagesRunningContainers: true,
        blockAdmissionControl: true,
        enforce: true,
        groupId: "tf-test-kube_enforcer",
        kubeBenchImageName: "registry.aquasec.com/kube-bench:v0.6.5",
        microEnforcerSecretsName: "aqua-registry",
        orchestrators: [{
            namespace: "aqua",
            type: "kubernetes",
        }],
        type: "kube_enforcer",
    });
    
    resources:
      group:
        type: aquasec:EnforcerGroups
        properties:
          # Advanced Malware Protection (Host Protection)
          antivirusProtection: true
          # Runtime Controls
          containerActivityProtection: true
          # Advanced Malware Protection (Container Protection)
          containerAntivirusProtection: true
          enforce: true
          # forensics
          forensics: true
          groupId: tf-test-enforcer
          # Host Assurance
          hostAssurance: true
          # host_forensics
          hostForensics: true
          # Network Firewall (Host Protection)
          hostNetworkProtection: true
          # Runtime Controls
          hostProtection: true
          # Image Assurance
          imageAssurance: true
          # Network Firewall (Container Protection)
          networkProtection: true
          orchestrators:
            - {}
          # Risk Explorer
          riskExplorerAutoDiscovery: true
          # Host Images
          syncHostImages: true
          type: agent
      group-kubeEnforcer:
        type: aquasec:EnforcerGroups
        properties:
          # Enable admission control
          admissionControl: true
          # Auto copy these secrets to the Pod Enforcer namespace and container
          autoCopySecrets: true
          # Add discovered registries
          autoDiscoverConfigureRegistries: true
          # Enable workload discovery
          autoDiscoveryEnabled: true
          # Register discovered pod images
          autoScanDiscoveredImagesRunningContainers: true
          # Perform admission control if not connected to a gateway
          blockAdmissionControl: true
          enforce: true
          groupId: tf-test-kube_enforcer
          # Kube-bench image path
          kubeBenchImageName: registry.aquasec.com/kube-bench:v0.6.5
          # Secret that holds the registry credentials for the Pod Enforcer and kube-bench
          microEnforcerSecretsName: aqua-registry
          orchestrators:
            - namespace: aqua
              type: kubernetes
          type: kube_enforcer
    

    Create EnforcerGroups Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new EnforcerGroups(name: string, args: EnforcerGroupsArgs, opts?: CustomResourceOptions);
    @overload
    def EnforcerGroups(resource_name: str,
                       args: EnforcerGroupsArgs,
                       opts: Optional[ResourceOptions] = None)
    
    @overload
    def EnforcerGroups(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       group_id: Optional[str] = None,
                       type: Optional[str] = None,
                       orchestrators: Optional[Sequence[EnforcerGroupsOrchestratorArgs]] = None,
                       host_assurance: Optional[bool] = None,
                       risk_explorer_auto_discovery: Optional[bool] = None,
                       antivirus_protection: Optional[bool] = None,
                       audit_all: Optional[bool] = None,
                       auto_copy_secrets: Optional[bool] = None,
                       auto_discover_configure_registries: Optional[bool] = None,
                       host_behavioral_engine: Optional[bool] = None,
                       auto_scan_discovered_images_running_containers: Optional[bool] = None,
                       behavioral_engine: Optional[bool] = None,
                       block_admission_control: Optional[bool] = None,
                       container_activity_protection: Optional[bool] = None,
                       container_antivirus_protection: Optional[bool] = None,
                       description: Optional[str] = None,
                       enforce: Optional[bool] = None,
                       forensics: Optional[bool] = None,
                       gateways: Optional[Sequence[str]] = None,
                       allowed_labels: Optional[Sequence[str]] = None,
                       host_network_protection: Optional[bool] = None,
                       auto_discovery_enabled: Optional[bool] = None,
                       allowed_registries: Optional[Sequence[str]] = None,
                       admission_control: Optional[bool] = None,
                       host_os: Optional[str] = None,
                       host_protection: Optional[bool] = None,
                       host_user_protection: Optional[bool] = None,
                       image_assurance: Optional[bool] = None,
                       kube_bench_image_name: Optional[str] = None,
                       logical_name: Optional[str] = None,
                       micro_enforcer_certs_secrets_name: Optional[str] = None,
                       micro_enforcer_image_name: Optional[str] = None,
                       micro_enforcer_injection: Optional[bool] = None,
                       micro_enforcer_secrets_name: Optional[str] = None,
                       network_protection: Optional[bool] = None,
                       allowed_applications: Optional[Sequence[str]] = None,
                       permission: Optional[str] = None,
                       host_forensics: Optional[bool] = None,
                       runtime_type: Optional[str] = None,
                       sync_host_images: Optional[bool] = None,
                       syscall_enabled: Optional[bool] = None,
                       allow_kube_enforcer_audit: Optional[bool] = None,
                       user_access_control: Optional[bool] = None)
    func NewEnforcerGroups(ctx *Context, name string, args EnforcerGroupsArgs, opts ...ResourceOption) (*EnforcerGroups, error)
    public EnforcerGroups(string name, EnforcerGroupsArgs args, CustomResourceOptions? opts = null)
    public EnforcerGroups(String name, EnforcerGroupsArgs args)
    public EnforcerGroups(String name, EnforcerGroupsArgs args, CustomResourceOptions options)
    
    type: aquasec:EnforcerGroups
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args EnforcerGroupsArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args EnforcerGroupsArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args EnforcerGroupsArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args EnforcerGroupsArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args EnforcerGroupsArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var enforcerGroupsResource = new Aquasec.EnforcerGroups("enforcerGroupsResource", new()
    {
        GroupId = "string",
        Type = "string",
        Orchestrators = new[]
        {
            new Aquasec.Inputs.EnforcerGroupsOrchestratorArgs
            {
                Master = false,
                Namespace = "string",
                ServiceAccount = "string",
                Type = "string",
            },
        },
        HostAssurance = false,
        RiskExplorerAutoDiscovery = false,
        AntivirusProtection = false,
        AuditAll = false,
        AutoCopySecrets = false,
        AutoDiscoverConfigureRegistries = false,
        HostBehavioralEngine = false,
        AutoScanDiscoveredImagesRunningContainers = false,
        BehavioralEngine = false,
        BlockAdmissionControl = false,
        ContainerActivityProtection = false,
        ContainerAntivirusProtection = false,
        Description = "string",
        Enforce = false,
        Forensics = false,
        Gateways = new[]
        {
            "string",
        },
        AllowedLabels = new[]
        {
            "string",
        },
        HostNetworkProtection = false,
        AutoDiscoveryEnabled = false,
        AllowedRegistries = new[]
        {
            "string",
        },
        AdmissionControl = false,
        HostOs = "string",
        HostProtection = false,
        HostUserProtection = false,
        ImageAssurance = false,
        KubeBenchImageName = "string",
        LogicalName = "string",
        MicroEnforcerCertsSecretsName = "string",
        MicroEnforcerImageName = "string",
        MicroEnforcerInjection = false,
        MicroEnforcerSecretsName = "string",
        NetworkProtection = false,
        AllowedApplications = new[]
        {
            "string",
        },
        Permission = "string",
        HostForensics = false,
        RuntimeType = "string",
        SyncHostImages = false,
        SyscallEnabled = false,
        AllowKubeEnforcerAudit = false,
        UserAccessControl = false,
    });
    
    example, err := aquasec.NewEnforcerGroups(ctx, "enforcerGroupsResource", &aquasec.EnforcerGroupsArgs{
    	GroupId: pulumi.String("string"),
    	Type:    pulumi.String("string"),
    	Orchestrators: aquasec.EnforcerGroupsOrchestratorArray{
    		&aquasec.EnforcerGroupsOrchestratorArgs{
    			Master:         pulumi.Bool(false),
    			Namespace:      pulumi.String("string"),
    			ServiceAccount: pulumi.String("string"),
    			Type:           pulumi.String("string"),
    		},
    	},
    	HostAssurance:                             pulumi.Bool(false),
    	RiskExplorerAutoDiscovery:                 pulumi.Bool(false),
    	AntivirusProtection:                       pulumi.Bool(false),
    	AuditAll:                                  pulumi.Bool(false),
    	AutoCopySecrets:                           pulumi.Bool(false),
    	AutoDiscoverConfigureRegistries:           pulumi.Bool(false),
    	HostBehavioralEngine:                      pulumi.Bool(false),
    	AutoScanDiscoveredImagesRunningContainers: pulumi.Bool(false),
    	BehavioralEngine:                          pulumi.Bool(false),
    	BlockAdmissionControl:                     pulumi.Bool(false),
    	ContainerActivityProtection:               pulumi.Bool(false),
    	ContainerAntivirusProtection:              pulumi.Bool(false),
    	Description:                               pulumi.String("string"),
    	Enforce:                                   pulumi.Bool(false),
    	Forensics:                                 pulumi.Bool(false),
    	Gateways: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AllowedLabels: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	HostNetworkProtection: pulumi.Bool(false),
    	AutoDiscoveryEnabled:  pulumi.Bool(false),
    	AllowedRegistries: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AdmissionControl:              pulumi.Bool(false),
    	HostOs:                        pulumi.String("string"),
    	HostProtection:                pulumi.Bool(false),
    	HostUserProtection:            pulumi.Bool(false),
    	ImageAssurance:                pulumi.Bool(false),
    	KubeBenchImageName:            pulumi.String("string"),
    	LogicalName:                   pulumi.String("string"),
    	MicroEnforcerCertsSecretsName: pulumi.String("string"),
    	MicroEnforcerImageName:        pulumi.String("string"),
    	MicroEnforcerInjection:        pulumi.Bool(false),
    	MicroEnforcerSecretsName:      pulumi.String("string"),
    	NetworkProtection:             pulumi.Bool(false),
    	AllowedApplications: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Permission:             pulumi.String("string"),
    	HostForensics:          pulumi.Bool(false),
    	RuntimeType:            pulumi.String("string"),
    	SyncHostImages:         pulumi.Bool(false),
    	SyscallEnabled:         pulumi.Bool(false),
    	AllowKubeEnforcerAudit: pulumi.Bool(false),
    	UserAccessControl:      pulumi.Bool(false),
    })
    
    var enforcerGroupsResource = new EnforcerGroups("enforcerGroupsResource", EnforcerGroupsArgs.builder()
        .groupId("string")
        .type("string")
        .orchestrators(EnforcerGroupsOrchestratorArgs.builder()
            .master(false)
            .namespace("string")
            .serviceAccount("string")
            .type("string")
            .build())
        .hostAssurance(false)
        .riskExplorerAutoDiscovery(false)
        .antivirusProtection(false)
        .auditAll(false)
        .autoCopySecrets(false)
        .autoDiscoverConfigureRegistries(false)
        .hostBehavioralEngine(false)
        .autoScanDiscoveredImagesRunningContainers(false)
        .behavioralEngine(false)
        .blockAdmissionControl(false)
        .containerActivityProtection(false)
        .containerAntivirusProtection(false)
        .description("string")
        .enforce(false)
        .forensics(false)
        .gateways("string")
        .allowedLabels("string")
        .hostNetworkProtection(false)
        .autoDiscoveryEnabled(false)
        .allowedRegistries("string")
        .admissionControl(false)
        .hostOs("string")
        .hostProtection(false)
        .hostUserProtection(false)
        .imageAssurance(false)
        .kubeBenchImageName("string")
        .logicalName("string")
        .microEnforcerCertsSecretsName("string")
        .microEnforcerImageName("string")
        .microEnforcerInjection(false)
        .microEnforcerSecretsName("string")
        .networkProtection(false)
        .allowedApplications("string")
        .permission("string")
        .hostForensics(false)
        .runtimeType("string")
        .syncHostImages(false)
        .syscallEnabled(false)
        .allowKubeEnforcerAudit(false)
        .userAccessControl(false)
        .build());
    
    enforcer_groups_resource = aquasec.EnforcerGroups("enforcerGroupsResource",
        group_id="string",
        type="string",
        orchestrators=[aquasec.EnforcerGroupsOrchestratorArgs(
            master=False,
            namespace="string",
            service_account="string",
            type="string",
        )],
        host_assurance=False,
        risk_explorer_auto_discovery=False,
        antivirus_protection=False,
        audit_all=False,
        auto_copy_secrets=False,
        auto_discover_configure_registries=False,
        host_behavioral_engine=False,
        auto_scan_discovered_images_running_containers=False,
        behavioral_engine=False,
        block_admission_control=False,
        container_activity_protection=False,
        container_antivirus_protection=False,
        description="string",
        enforce=False,
        forensics=False,
        gateways=["string"],
        allowed_labels=["string"],
        host_network_protection=False,
        auto_discovery_enabled=False,
        allowed_registries=["string"],
        admission_control=False,
        host_os="string",
        host_protection=False,
        host_user_protection=False,
        image_assurance=False,
        kube_bench_image_name="string",
        logical_name="string",
        micro_enforcer_certs_secrets_name="string",
        micro_enforcer_image_name="string",
        micro_enforcer_injection=False,
        micro_enforcer_secrets_name="string",
        network_protection=False,
        allowed_applications=["string"],
        permission="string",
        host_forensics=False,
        runtime_type="string",
        sync_host_images=False,
        syscall_enabled=False,
        allow_kube_enforcer_audit=False,
        user_access_control=False)
    
    const enforcerGroupsResource = new aquasec.EnforcerGroups("enforcerGroupsResource", {
        groupId: "string",
        type: "string",
        orchestrators: [{
            master: false,
            namespace: "string",
            serviceAccount: "string",
            type: "string",
        }],
        hostAssurance: false,
        riskExplorerAutoDiscovery: false,
        antivirusProtection: false,
        auditAll: false,
        autoCopySecrets: false,
        autoDiscoverConfigureRegistries: false,
        hostBehavioralEngine: false,
        autoScanDiscoveredImagesRunningContainers: false,
        behavioralEngine: false,
        blockAdmissionControl: false,
        containerActivityProtection: false,
        containerAntivirusProtection: false,
        description: "string",
        enforce: false,
        forensics: false,
        gateways: ["string"],
        allowedLabels: ["string"],
        hostNetworkProtection: false,
        autoDiscoveryEnabled: false,
        allowedRegistries: ["string"],
        admissionControl: false,
        hostOs: "string",
        hostProtection: false,
        hostUserProtection: false,
        imageAssurance: false,
        kubeBenchImageName: "string",
        logicalName: "string",
        microEnforcerCertsSecretsName: "string",
        microEnforcerImageName: "string",
        microEnforcerInjection: false,
        microEnforcerSecretsName: "string",
        networkProtection: false,
        allowedApplications: ["string"],
        permission: "string",
        hostForensics: false,
        runtimeType: "string",
        syncHostImages: false,
        syscallEnabled: false,
        allowKubeEnforcerAudit: false,
        userAccessControl: false,
    });
    
    type: aquasec:EnforcerGroups
    properties:
        admissionControl: false
        allowKubeEnforcerAudit: false
        allowedApplications:
            - string
        allowedLabels:
            - string
        allowedRegistries:
            - string
        antivirusProtection: false
        auditAll: false
        autoCopySecrets: false
        autoDiscoverConfigureRegistries: false
        autoDiscoveryEnabled: false
        autoScanDiscoveredImagesRunningContainers: false
        behavioralEngine: false
        blockAdmissionControl: false
        containerActivityProtection: false
        containerAntivirusProtection: false
        description: string
        enforce: false
        forensics: false
        gateways:
            - string
        groupId: string
        hostAssurance: false
        hostBehavioralEngine: false
        hostForensics: false
        hostNetworkProtection: false
        hostOs: string
        hostProtection: false
        hostUserProtection: false
        imageAssurance: false
        kubeBenchImageName: string
        logicalName: string
        microEnforcerCertsSecretsName: string
        microEnforcerImageName: string
        microEnforcerInjection: false
        microEnforcerSecretsName: string
        networkProtection: false
        orchestrators:
            - master: false
              namespace: string
              serviceAccount: string
              type: string
        permission: string
        riskExplorerAutoDiscovery: false
        runtimeType: string
        syncHostImages: false
        syscallEnabled: false
        type: string
        userAccessControl: false
    

    EnforcerGroups Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The EnforcerGroups resource accepts the following input properties:

    GroupId string
    The ID of the Enforcer group.
    Orchestrators List<Pulumiverse.Aquasec.Inputs.EnforcerGroupsOrchestrator>
    The orchestrator for which you are creating the Enforcer group.
    Type string
    Enforcer Type.
    AdmissionControl bool
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    AllowKubeEnforcerAudit bool
    Allow kube enforcer audit.
    AllowedApplications List<string>
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    AllowedLabels List<string>
    List of label names to allow on the hosts.
    AllowedRegistries List<string>
    List of registry names to allow on the hosts.
    AntivirusProtection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    AuditAll bool
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    AutoCopySecrets bool
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    AutoDiscoverConfigureRegistries bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    AutoDiscoveryEnabled bool
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    AutoScanDiscoveredImagesRunningContainers bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    BehavioralEngine bool
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    BlockAdmissionControl bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    ContainerActivityProtection bool
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    ContainerAntivirusProtection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    Description string
    A description of the Aqua Enforcer group.
    Enforce bool
    Whether to enable enforce mode on the Enforcers, defaults to False.
    Forensics bool
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    Gateways List<string>
    List of Aqua gateway IDs for the Enforcers.
    HostAssurance bool
    Set True to enable host scanning and respective Host Assurance controls.
    HostBehavioralEngine bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    HostForensics bool
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    HostNetworkProtection bool
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    HostOs string
    The OS type for the host
    HostProtection bool
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    HostUserProtection bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    ImageAssurance bool
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    KubeBenchImageName string
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    LogicalName string
    Name for the batch install record.
    MicroEnforcerCertsSecretsName string
    This option is applicable only if Enable Pod Enforcer injection is selected.
    MicroEnforcerImageName string
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    MicroEnforcerInjection bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    MicroEnforcerSecretsName string
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    NetworkProtection bool
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    Permission string
    Permission Action
    RiskExplorerAutoDiscovery bool
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    RuntimeType string
    The container runtime environment.
    SyncHostImages bool
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    SyscallEnabled bool
    Set True will allow profiling and monitoring system calls made by running containers.
    UserAccessControl bool
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    GroupId string
    The ID of the Enforcer group.
    Orchestrators []EnforcerGroupsOrchestratorArgs
    The orchestrator for which you are creating the Enforcer group.
    Type string
    Enforcer Type.
    AdmissionControl bool
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    AllowKubeEnforcerAudit bool
    Allow kube enforcer audit.
    AllowedApplications []string
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    AllowedLabels []string
    List of label names to allow on the hosts.
    AllowedRegistries []string
    List of registry names to allow on the hosts.
    AntivirusProtection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    AuditAll bool
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    AutoCopySecrets bool
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    AutoDiscoverConfigureRegistries bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    AutoDiscoveryEnabled bool
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    AutoScanDiscoveredImagesRunningContainers bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    BehavioralEngine bool
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    BlockAdmissionControl bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    ContainerActivityProtection bool
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    ContainerAntivirusProtection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    Description string
    A description of the Aqua Enforcer group.
    Enforce bool
    Whether to enable enforce mode on the Enforcers, defaults to False.
    Forensics bool
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    Gateways []string
    List of Aqua gateway IDs for the Enforcers.
    HostAssurance bool
    Set True to enable host scanning and respective Host Assurance controls.
    HostBehavioralEngine bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    HostForensics bool
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    HostNetworkProtection bool
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    HostOs string
    The OS type for the host
    HostProtection bool
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    HostUserProtection bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    ImageAssurance bool
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    KubeBenchImageName string
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    LogicalName string
    Name for the batch install record.
    MicroEnforcerCertsSecretsName string
    This option is applicable only if Enable Pod Enforcer injection is selected.
    MicroEnforcerImageName string
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    MicroEnforcerInjection bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    MicroEnforcerSecretsName string
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    NetworkProtection bool
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    Permission string
    Permission Action
    RiskExplorerAutoDiscovery bool
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    RuntimeType string
    The container runtime environment.
    SyncHostImages bool
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    SyscallEnabled bool
    Set True will allow profiling and monitoring system calls made by running containers.
    UserAccessControl bool
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    groupId String
    The ID of the Enforcer group.
    orchestrators List<EnforcerGroupsOrchestrator>
    The orchestrator for which you are creating the Enforcer group.
    type String
    Enforcer Type.
    admissionControl Boolean
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    allowKubeEnforcerAudit Boolean
    Allow kube enforcer audit.
    allowedApplications List<String>
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    allowedLabels List<String>
    List of label names to allow on the hosts.
    allowedRegistries List<String>
    List of registry names to allow on the hosts.
    antivirusProtection Boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    auditAll Boolean
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    autoCopySecrets Boolean
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    autoDiscoverConfigureRegistries Boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    autoDiscoveryEnabled Boolean
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    autoScanDiscoveredImagesRunningContainers Boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    behavioralEngine Boolean
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    blockAdmissionControl Boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    containerActivityProtection Boolean
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    containerAntivirusProtection Boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    description String
    A description of the Aqua Enforcer group.
    enforce Boolean
    Whether to enable enforce mode on the Enforcers, defaults to False.
    forensics Boolean
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    gateways List<String>
    List of Aqua gateway IDs for the Enforcers.
    hostAssurance Boolean
    Set True to enable host scanning and respective Host Assurance controls.
    hostBehavioralEngine Boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostForensics Boolean
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    hostNetworkProtection Boolean
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    hostOs String
    The OS type for the host
    hostProtection Boolean
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    hostUserProtection Boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    imageAssurance Boolean
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    kubeBenchImageName String
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    logicalName String
    Name for the batch install record.
    microEnforcerCertsSecretsName String
    This option is applicable only if Enable Pod Enforcer injection is selected.
    microEnforcerImageName String
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    microEnforcerInjection Boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    microEnforcerSecretsName String
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    networkProtection Boolean
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    permission String
    Permission Action
    riskExplorerAutoDiscovery Boolean
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    runtimeType String
    The container runtime environment.
    syncHostImages Boolean
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    syscallEnabled Boolean
    Set True will allow profiling and monitoring system calls made by running containers.
    userAccessControl Boolean
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    groupId string
    The ID of the Enforcer group.
    orchestrators EnforcerGroupsOrchestrator[]
    The orchestrator for which you are creating the Enforcer group.
    type string
    Enforcer Type.
    admissionControl boolean
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    allowKubeEnforcerAudit boolean
    Allow kube enforcer audit.
    allowedApplications string[]
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    allowedLabels string[]
    List of label names to allow on the hosts.
    allowedRegistries string[]
    List of registry names to allow on the hosts.
    antivirusProtection boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    auditAll boolean
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    autoCopySecrets boolean
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    autoDiscoverConfigureRegistries boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    autoDiscoveryEnabled boolean
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    autoScanDiscoveredImagesRunningContainers boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    behavioralEngine boolean
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    blockAdmissionControl boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    containerActivityProtection boolean
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    containerAntivirusProtection boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    description string
    A description of the Aqua Enforcer group.
    enforce boolean
    Whether to enable enforce mode on the Enforcers, defaults to False.
    forensics boolean
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    gateways string[]
    List of Aqua gateway IDs for the Enforcers.
    hostAssurance boolean
    Set True to enable host scanning and respective Host Assurance controls.
    hostBehavioralEngine boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostForensics boolean
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    hostNetworkProtection boolean
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    hostOs string
    The OS type for the host
    hostProtection boolean
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    hostUserProtection boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    imageAssurance boolean
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    kubeBenchImageName string
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    logicalName string
    Name for the batch install record.
    microEnforcerCertsSecretsName string
    This option is applicable only if Enable Pod Enforcer injection is selected.
    microEnforcerImageName string
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    microEnforcerInjection boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    microEnforcerSecretsName string
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    networkProtection boolean
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    permission string
    Permission Action
    riskExplorerAutoDiscovery boolean
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    runtimeType string
    The container runtime environment.
    syncHostImages boolean
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    syscallEnabled boolean
    Set True will allow profiling and monitoring system calls made by running containers.
    userAccessControl boolean
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    group_id str
    The ID of the Enforcer group.
    orchestrators Sequence[EnforcerGroupsOrchestratorArgs]
    The orchestrator for which you are creating the Enforcer group.
    type str
    Enforcer Type.
    admission_control bool
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    allow_kube_enforcer_audit bool
    Allow kube enforcer audit.
    allowed_applications Sequence[str]
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    allowed_labels Sequence[str]
    List of label names to allow on the hosts.
    allowed_registries Sequence[str]
    List of registry names to allow on the hosts.
    antivirus_protection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    audit_all bool
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    auto_copy_secrets bool
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    auto_discover_configure_registries bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    auto_discovery_enabled bool
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    auto_scan_discovered_images_running_containers bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    behavioral_engine bool
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    block_admission_control bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    container_activity_protection bool
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    container_antivirus_protection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    description str
    A description of the Aqua Enforcer group.
    enforce bool
    Whether to enable enforce mode on the Enforcers, defaults to False.
    forensics bool
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    gateways Sequence[str]
    List of Aqua gateway IDs for the Enforcers.
    host_assurance bool
    Set True to enable host scanning and respective Host Assurance controls.
    host_behavioral_engine bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    host_forensics bool
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    host_network_protection bool
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    host_os str
    The OS type for the host
    host_protection bool
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    host_user_protection bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    image_assurance bool
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    kube_bench_image_name str
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    logical_name str
    Name for the batch install record.
    micro_enforcer_certs_secrets_name str
    This option is applicable only if Enable Pod Enforcer injection is selected.
    micro_enforcer_image_name str
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    micro_enforcer_injection bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    micro_enforcer_secrets_name str
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    network_protection bool
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    permission str
    Permission Action
    risk_explorer_auto_discovery bool
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    runtime_type str
    The container runtime environment.
    sync_host_images bool
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    syscall_enabled bool
    Set True will allow profiling and monitoring system calls made by running containers.
    user_access_control bool
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    groupId String
    The ID of the Enforcer group.
    orchestrators List<Property Map>
    The orchestrator for which you are creating the Enforcer group.
    type String
    Enforcer Type.
    admissionControl Boolean
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    allowKubeEnforcerAudit Boolean
    Allow kube enforcer audit.
    allowedApplications List<String>
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    allowedLabels List<String>
    List of label names to allow on the hosts.
    allowedRegistries List<String>
    List of registry names to allow on the hosts.
    antivirusProtection Boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    auditAll Boolean
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    autoCopySecrets Boolean
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    autoDiscoverConfigureRegistries Boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    autoDiscoveryEnabled Boolean
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    autoScanDiscoveredImagesRunningContainers Boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    behavioralEngine Boolean
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    blockAdmissionControl Boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    containerActivityProtection Boolean
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    containerAntivirusProtection Boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    description String
    A description of the Aqua Enforcer group.
    enforce Boolean
    Whether to enable enforce mode on the Enforcers, defaults to False.
    forensics Boolean
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    gateways List<String>
    List of Aqua gateway IDs for the Enforcers.
    hostAssurance Boolean
    Set True to enable host scanning and respective Host Assurance controls.
    hostBehavioralEngine Boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostForensics Boolean
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    hostNetworkProtection Boolean
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    hostOs String
    The OS type for the host
    hostProtection Boolean
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    hostUserProtection Boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    imageAssurance Boolean
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    kubeBenchImageName String
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    logicalName String
    Name for the batch install record.
    microEnforcerCertsSecretsName String
    This option is applicable only if Enable Pod Enforcer injection is selected.
    microEnforcerImageName String
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    microEnforcerInjection Boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    microEnforcerSecretsName String
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    networkProtection Boolean
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    permission String
    Permission Action
    riskExplorerAutoDiscovery Boolean
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    runtimeType String
    The container runtime environment.
    syncHostImages Boolean
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    syscallEnabled Boolean
    Set True will allow profiling and monitoring system calls made by running containers.
    userAccessControl Boolean
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the EnforcerGroups resource produces the following output properties:

    AquaVersion string
    Aqua server version
    Commands List<Pulumiverse.Aquasec.Outputs.EnforcerGroupsCommand>
    The installation command.
    ConnectedCount int
    Number of connected enforcers in the enforcer group.
    DisconnectedCount int
    Number of disconnected enforcers in the enforcer group.
    EnforcerImageName string
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    GatewayAddress string
    Gateway Address
    GatewayName string
    Gateway Name
    HighVulns int
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    Hostname string
    The hostname
    HostsCount int
    Number of enforcers in the enforcer group.
    Id string
    The provider-assigned unique ID for this managed resource.
    InstallCommand string
    Enforcer install command
    LastUpdate int
    The last date and time the batch token was updated in UNIX time.
    LowVulns int
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    MedVulns int
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    NegVulns int
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    PasDeploymentLink string
    pas deployment link
    RuntimePolicyName string
    Function Runtime Policy that will applay on the nano enforcer.
    Token string
    The batch install token.
    AquaVersion string
    Aqua server version
    Commands []EnforcerGroupsCommand
    The installation command.
    ConnectedCount int
    Number of connected enforcers in the enforcer group.
    DisconnectedCount int
    Number of disconnected enforcers in the enforcer group.
    EnforcerImageName string
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    GatewayAddress string
    Gateway Address
    GatewayName string
    Gateway Name
    HighVulns int
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    Hostname string
    The hostname
    HostsCount int
    Number of enforcers in the enforcer group.
    Id string
    The provider-assigned unique ID for this managed resource.
    InstallCommand string
    Enforcer install command
    LastUpdate int
    The last date and time the batch token was updated in UNIX time.
    LowVulns int
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    MedVulns int
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    NegVulns int
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    PasDeploymentLink string
    pas deployment link
    RuntimePolicyName string
    Function Runtime Policy that will applay on the nano enforcer.
    Token string
    The batch install token.
    aquaVersion String
    Aqua server version
    commands List<EnforcerGroupsCommand>
    The installation command.
    connectedCount Integer
    Number of connected enforcers in the enforcer group.
    disconnectedCount Integer
    Number of disconnected enforcers in the enforcer group.
    enforcerImageName String
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    gatewayAddress String
    Gateway Address
    gatewayName String
    Gateway Name
    highVulns Integer
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    hostname String
    The hostname
    hostsCount Integer
    Number of enforcers in the enforcer group.
    id String
    The provider-assigned unique ID for this managed resource.
    installCommand String
    Enforcer install command
    lastUpdate Integer
    The last date and time the batch token was updated in UNIX time.
    lowVulns Integer
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    medVulns Integer
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    negVulns Integer
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    pasDeploymentLink String
    pas deployment link
    runtimePolicyName String
    Function Runtime Policy that will applay on the nano enforcer.
    token String
    The batch install token.
    aquaVersion string
    Aqua server version
    commands EnforcerGroupsCommand[]
    The installation command.
    connectedCount number
    Number of connected enforcers in the enforcer group.
    disconnectedCount number
    Number of disconnected enforcers in the enforcer group.
    enforcerImageName string
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    gatewayAddress string
    Gateway Address
    gatewayName string
    Gateway Name
    highVulns number
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    hostname string
    The hostname
    hostsCount number
    Number of enforcers in the enforcer group.
    id string
    The provider-assigned unique ID for this managed resource.
    installCommand string
    Enforcer install command
    lastUpdate number
    The last date and time the batch token was updated in UNIX time.
    lowVulns number
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    medVulns number
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    negVulns number
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    pasDeploymentLink string
    pas deployment link
    runtimePolicyName string
    Function Runtime Policy that will applay on the nano enforcer.
    token string
    The batch install token.
    aqua_version str
    Aqua server version
    commands Sequence[EnforcerGroupsCommand]
    The installation command.
    connected_count int
    Number of connected enforcers in the enforcer group.
    disconnected_count int
    Number of disconnected enforcers in the enforcer group.
    enforcer_image_name str
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    gateway_address str
    Gateway Address
    gateway_name str
    Gateway Name
    high_vulns int
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    hostname str
    The hostname
    hosts_count int
    Number of enforcers in the enforcer group.
    id str
    The provider-assigned unique ID for this managed resource.
    install_command str
    Enforcer install command
    last_update int
    The last date and time the batch token was updated in UNIX time.
    low_vulns int
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    med_vulns int
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    neg_vulns int
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    pas_deployment_link str
    pas deployment link
    runtime_policy_name str
    Function Runtime Policy that will applay on the nano enforcer.
    token str
    The batch install token.
    aquaVersion String
    Aqua server version
    commands List<Property Map>
    The installation command.
    connectedCount Number
    Number of connected enforcers in the enforcer group.
    disconnectedCount Number
    Number of disconnected enforcers in the enforcer group.
    enforcerImageName String
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    gatewayAddress String
    Gateway Address
    gatewayName String
    Gateway Name
    highVulns Number
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    hostname String
    The hostname
    hostsCount Number
    Number of enforcers in the enforcer group.
    id String
    The provider-assigned unique ID for this managed resource.
    installCommand String
    Enforcer install command
    lastUpdate Number
    The last date and time the batch token was updated in UNIX time.
    lowVulns Number
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    medVulns Number
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    negVulns Number
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    pasDeploymentLink String
    pas deployment link
    runtimePolicyName String
    Function Runtime Policy that will applay on the nano enforcer.
    token String
    The batch install token.

    Look up Existing EnforcerGroups Resource

    Get an existing EnforcerGroups resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: EnforcerGroupsState, opts?: CustomResourceOptions): EnforcerGroups
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            admission_control: Optional[bool] = None,
            allow_kube_enforcer_audit: Optional[bool] = None,
            allowed_applications: Optional[Sequence[str]] = None,
            allowed_labels: Optional[Sequence[str]] = None,
            allowed_registries: Optional[Sequence[str]] = None,
            antivirus_protection: Optional[bool] = None,
            aqua_version: Optional[str] = None,
            audit_all: Optional[bool] = None,
            auto_copy_secrets: Optional[bool] = None,
            auto_discover_configure_registries: Optional[bool] = None,
            auto_discovery_enabled: Optional[bool] = None,
            auto_scan_discovered_images_running_containers: Optional[bool] = None,
            behavioral_engine: Optional[bool] = None,
            block_admission_control: Optional[bool] = None,
            commands: Optional[Sequence[EnforcerGroupsCommandArgs]] = None,
            connected_count: Optional[int] = None,
            container_activity_protection: Optional[bool] = None,
            container_antivirus_protection: Optional[bool] = None,
            description: Optional[str] = None,
            disconnected_count: Optional[int] = None,
            enforce: Optional[bool] = None,
            enforcer_image_name: Optional[str] = None,
            forensics: Optional[bool] = None,
            gateway_address: Optional[str] = None,
            gateway_name: Optional[str] = None,
            gateways: Optional[Sequence[str]] = None,
            group_id: Optional[str] = None,
            high_vulns: Optional[int] = None,
            host_assurance: Optional[bool] = None,
            host_behavioral_engine: Optional[bool] = None,
            host_forensics: Optional[bool] = None,
            host_network_protection: Optional[bool] = None,
            host_os: Optional[str] = None,
            host_protection: Optional[bool] = None,
            host_user_protection: Optional[bool] = None,
            hostname: Optional[str] = None,
            hosts_count: Optional[int] = None,
            image_assurance: Optional[bool] = None,
            install_command: Optional[str] = None,
            kube_bench_image_name: Optional[str] = None,
            last_update: Optional[int] = None,
            logical_name: Optional[str] = None,
            low_vulns: Optional[int] = None,
            med_vulns: Optional[int] = None,
            micro_enforcer_certs_secrets_name: Optional[str] = None,
            micro_enforcer_image_name: Optional[str] = None,
            micro_enforcer_injection: Optional[bool] = None,
            micro_enforcer_secrets_name: Optional[str] = None,
            neg_vulns: Optional[int] = None,
            network_protection: Optional[bool] = None,
            orchestrators: Optional[Sequence[EnforcerGroupsOrchestratorArgs]] = None,
            pas_deployment_link: Optional[str] = None,
            permission: Optional[str] = None,
            risk_explorer_auto_discovery: Optional[bool] = None,
            runtime_policy_name: Optional[str] = None,
            runtime_type: Optional[str] = None,
            sync_host_images: Optional[bool] = None,
            syscall_enabled: Optional[bool] = None,
            token: Optional[str] = None,
            type: Optional[str] = None,
            user_access_control: Optional[bool] = None) -> EnforcerGroups
    func GetEnforcerGroups(ctx *Context, name string, id IDInput, state *EnforcerGroupsState, opts ...ResourceOption) (*EnforcerGroups, error)
    public static EnforcerGroups Get(string name, Input<string> id, EnforcerGroupsState? state, CustomResourceOptions? opts = null)
    public static EnforcerGroups get(String name, Output<String> id, EnforcerGroupsState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AdmissionControl bool
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    AllowKubeEnforcerAudit bool
    Allow kube enforcer audit.
    AllowedApplications List<string>
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    AllowedLabels List<string>
    List of label names to allow on the hosts.
    AllowedRegistries List<string>
    List of registry names to allow on the hosts.
    AntivirusProtection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    AquaVersion string
    Aqua server version
    AuditAll bool
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    AutoCopySecrets bool
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    AutoDiscoverConfigureRegistries bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    AutoDiscoveryEnabled bool
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    AutoScanDiscoveredImagesRunningContainers bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    BehavioralEngine bool
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    BlockAdmissionControl bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    Commands List<Pulumiverse.Aquasec.Inputs.EnforcerGroupsCommand>
    The installation command.
    ConnectedCount int
    Number of connected enforcers in the enforcer group.
    ContainerActivityProtection bool
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    ContainerAntivirusProtection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    Description string
    A description of the Aqua Enforcer group.
    DisconnectedCount int
    Number of disconnected enforcers in the enforcer group.
    Enforce bool
    Whether to enable enforce mode on the Enforcers, defaults to False.
    EnforcerImageName string
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    Forensics bool
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    GatewayAddress string
    Gateway Address
    GatewayName string
    Gateway Name
    Gateways List<string>
    List of Aqua gateway IDs for the Enforcers.
    GroupId string
    The ID of the Enforcer group.
    HighVulns int
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    HostAssurance bool
    Set True to enable host scanning and respective Host Assurance controls.
    HostBehavioralEngine bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    HostForensics bool
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    HostNetworkProtection bool
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    HostOs string
    The OS type for the host
    HostProtection bool
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    HostUserProtection bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    Hostname string
    The hostname
    HostsCount int
    Number of enforcers in the enforcer group.
    ImageAssurance bool
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    InstallCommand string
    Enforcer install command
    KubeBenchImageName string
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    LastUpdate int
    The last date and time the batch token was updated in UNIX time.
    LogicalName string
    Name for the batch install record.
    LowVulns int
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    MedVulns int
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    MicroEnforcerCertsSecretsName string
    This option is applicable only if Enable Pod Enforcer injection is selected.
    MicroEnforcerImageName string
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    MicroEnforcerInjection bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    MicroEnforcerSecretsName string
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    NegVulns int
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    NetworkProtection bool
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    Orchestrators List<Pulumiverse.Aquasec.Inputs.EnforcerGroupsOrchestrator>
    The orchestrator for which you are creating the Enforcer group.
    PasDeploymentLink string
    pas deployment link
    Permission string
    Permission Action
    RiskExplorerAutoDiscovery bool
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    RuntimePolicyName string
    Function Runtime Policy that will applay on the nano enforcer.
    RuntimeType string
    The container runtime environment.
    SyncHostImages bool
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    SyscallEnabled bool
    Set True will allow profiling and monitoring system calls made by running containers.
    Token string
    The batch install token.
    Type string
    Enforcer Type.
    UserAccessControl bool
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    AdmissionControl bool
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    AllowKubeEnforcerAudit bool
    Allow kube enforcer audit.
    AllowedApplications []string
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    AllowedLabels []string
    List of label names to allow on the hosts.
    AllowedRegistries []string
    List of registry names to allow on the hosts.
    AntivirusProtection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    AquaVersion string
    Aqua server version
    AuditAll bool
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    AutoCopySecrets bool
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    AutoDiscoverConfigureRegistries bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    AutoDiscoveryEnabled bool
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    AutoScanDiscoveredImagesRunningContainers bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    BehavioralEngine bool
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    BlockAdmissionControl bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    Commands []EnforcerGroupsCommandArgs
    The installation command.
    ConnectedCount int
    Number of connected enforcers in the enforcer group.
    ContainerActivityProtection bool
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    ContainerAntivirusProtection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    Description string
    A description of the Aqua Enforcer group.
    DisconnectedCount int
    Number of disconnected enforcers in the enforcer group.
    Enforce bool
    Whether to enable enforce mode on the Enforcers, defaults to False.
    EnforcerImageName string
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    Forensics bool
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    GatewayAddress string
    Gateway Address
    GatewayName string
    Gateway Name
    Gateways []string
    List of Aqua gateway IDs for the Enforcers.
    GroupId string
    The ID of the Enforcer group.
    HighVulns int
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    HostAssurance bool
    Set True to enable host scanning and respective Host Assurance controls.
    HostBehavioralEngine bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    HostForensics bool
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    HostNetworkProtection bool
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    HostOs string
    The OS type for the host
    HostProtection bool
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    HostUserProtection bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    Hostname string
    The hostname
    HostsCount int
    Number of enforcers in the enforcer group.
    ImageAssurance bool
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    InstallCommand string
    Enforcer install command
    KubeBenchImageName string
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    LastUpdate int
    The last date and time the batch token was updated in UNIX time.
    LogicalName string
    Name for the batch install record.
    LowVulns int
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    MedVulns int
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    MicroEnforcerCertsSecretsName string
    This option is applicable only if Enable Pod Enforcer injection is selected.
    MicroEnforcerImageName string
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    MicroEnforcerInjection bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    MicroEnforcerSecretsName string
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    NegVulns int
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    NetworkProtection bool
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    Orchestrators []EnforcerGroupsOrchestratorArgs
    The orchestrator for which you are creating the Enforcer group.
    PasDeploymentLink string
    pas deployment link
    Permission string
    Permission Action
    RiskExplorerAutoDiscovery bool
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    RuntimePolicyName string
    Function Runtime Policy that will applay on the nano enforcer.
    RuntimeType string
    The container runtime environment.
    SyncHostImages bool
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    SyscallEnabled bool
    Set True will allow profiling and monitoring system calls made by running containers.
    Token string
    The batch install token.
    Type string
    Enforcer Type.
    UserAccessControl bool
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    admissionControl Boolean
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    allowKubeEnforcerAudit Boolean
    Allow kube enforcer audit.
    allowedApplications List<String>
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    allowedLabels List<String>
    List of label names to allow on the hosts.
    allowedRegistries List<String>
    List of registry names to allow on the hosts.
    antivirusProtection Boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    aquaVersion String
    Aqua server version
    auditAll Boolean
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    autoCopySecrets Boolean
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    autoDiscoverConfigureRegistries Boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    autoDiscoveryEnabled Boolean
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    autoScanDiscoveredImagesRunningContainers Boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    behavioralEngine Boolean
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    blockAdmissionControl Boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    commands List<EnforcerGroupsCommand>
    The installation command.
    connectedCount Integer
    Number of connected enforcers in the enforcer group.
    containerActivityProtection Boolean
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    containerAntivirusProtection Boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    description String
    A description of the Aqua Enforcer group.
    disconnectedCount Integer
    Number of disconnected enforcers in the enforcer group.
    enforce Boolean
    Whether to enable enforce mode on the Enforcers, defaults to False.
    enforcerImageName String
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    forensics Boolean
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    gatewayAddress String
    Gateway Address
    gatewayName String
    Gateway Name
    gateways List<String>
    List of Aqua gateway IDs for the Enforcers.
    groupId String
    The ID of the Enforcer group.
    highVulns Integer
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    hostAssurance Boolean
    Set True to enable host scanning and respective Host Assurance controls.
    hostBehavioralEngine Boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostForensics Boolean
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    hostNetworkProtection Boolean
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    hostOs String
    The OS type for the host
    hostProtection Boolean
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    hostUserProtection Boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostname String
    The hostname
    hostsCount Integer
    Number of enforcers in the enforcer group.
    imageAssurance Boolean
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    installCommand String
    Enforcer install command
    kubeBenchImageName String
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    lastUpdate Integer
    The last date and time the batch token was updated in UNIX time.
    logicalName String
    Name for the batch install record.
    lowVulns Integer
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    medVulns Integer
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    microEnforcerCertsSecretsName String
    This option is applicable only if Enable Pod Enforcer injection is selected.
    microEnforcerImageName String
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    microEnforcerInjection Boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    microEnforcerSecretsName String
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    negVulns Integer
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    networkProtection Boolean
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    orchestrators List<EnforcerGroupsOrchestrator>
    The orchestrator for which you are creating the Enforcer group.
    pasDeploymentLink String
    pas deployment link
    permission String
    Permission Action
    riskExplorerAutoDiscovery Boolean
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    runtimePolicyName String
    Function Runtime Policy that will applay on the nano enforcer.
    runtimeType String
    The container runtime environment.
    syncHostImages Boolean
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    syscallEnabled Boolean
    Set True will allow profiling and monitoring system calls made by running containers.
    token String
    The batch install token.
    type String
    Enforcer Type.
    userAccessControl Boolean
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    admissionControl boolean
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    allowKubeEnforcerAudit boolean
    Allow kube enforcer audit.
    allowedApplications string[]
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    allowedLabels string[]
    List of label names to allow on the hosts.
    allowedRegistries string[]
    List of registry names to allow on the hosts.
    antivirusProtection boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    aquaVersion string
    Aqua server version
    auditAll boolean
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    autoCopySecrets boolean
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    autoDiscoverConfigureRegistries boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    autoDiscoveryEnabled boolean
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    autoScanDiscoveredImagesRunningContainers boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    behavioralEngine boolean
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    blockAdmissionControl boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    commands EnforcerGroupsCommand[]
    The installation command.
    connectedCount number
    Number of connected enforcers in the enforcer group.
    containerActivityProtection boolean
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    containerAntivirusProtection boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    description string
    A description of the Aqua Enforcer group.
    disconnectedCount number
    Number of disconnected enforcers in the enforcer group.
    enforce boolean
    Whether to enable enforce mode on the Enforcers, defaults to False.
    enforcerImageName string
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    forensics boolean
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    gatewayAddress string
    Gateway Address
    gatewayName string
    Gateway Name
    gateways string[]
    List of Aqua gateway IDs for the Enforcers.
    groupId string
    The ID of the Enforcer group.
    highVulns number
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    hostAssurance boolean
    Set True to enable host scanning and respective Host Assurance controls.
    hostBehavioralEngine boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostForensics boolean
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    hostNetworkProtection boolean
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    hostOs string
    The OS type for the host
    hostProtection boolean
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    hostUserProtection boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostname string
    The hostname
    hostsCount number
    Number of enforcers in the enforcer group.
    imageAssurance boolean
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    installCommand string
    Enforcer install command
    kubeBenchImageName string
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    lastUpdate number
    The last date and time the batch token was updated in UNIX time.
    logicalName string
    Name for the batch install record.
    lowVulns number
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    medVulns number
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    microEnforcerCertsSecretsName string
    This option is applicable only if Enable Pod Enforcer injection is selected.
    microEnforcerImageName string
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    microEnforcerInjection boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    microEnforcerSecretsName string
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    negVulns number
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    networkProtection boolean
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    orchestrators EnforcerGroupsOrchestrator[]
    The orchestrator for which you are creating the Enforcer group.
    pasDeploymentLink string
    pas deployment link
    permission string
    Permission Action
    riskExplorerAutoDiscovery boolean
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    runtimePolicyName string
    Function Runtime Policy that will applay on the nano enforcer.
    runtimeType string
    The container runtime environment.
    syncHostImages boolean
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    syscallEnabled boolean
    Set True will allow profiling and monitoring system calls made by running containers.
    token string
    The batch install token.
    type string
    Enforcer Type.
    userAccessControl boolean
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    admission_control bool
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    allow_kube_enforcer_audit bool
    Allow kube enforcer audit.
    allowed_applications Sequence[str]
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    allowed_labels Sequence[str]
    List of label names to allow on the hosts.
    allowed_registries Sequence[str]
    List of registry names to allow on the hosts.
    antivirus_protection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    aqua_version str
    Aqua server version
    audit_all bool
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    auto_copy_secrets bool
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    auto_discover_configure_registries bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    auto_discovery_enabled bool
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    auto_scan_discovered_images_running_containers bool
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    behavioral_engine bool
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    block_admission_control bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    commands Sequence[EnforcerGroupsCommandArgs]
    The installation command.
    connected_count int
    Number of connected enforcers in the enforcer group.
    container_activity_protection bool
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    container_antivirus_protection bool
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    description str
    A description of the Aqua Enforcer group.
    disconnected_count int
    Number of disconnected enforcers in the enforcer group.
    enforce bool
    Whether to enable enforce mode on the Enforcers, defaults to False.
    enforcer_image_name str
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    forensics bool
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    gateway_address str
    Gateway Address
    gateway_name str
    Gateway Name
    gateways Sequence[str]
    List of Aqua gateway IDs for the Enforcers.
    group_id str
    The ID of the Enforcer group.
    high_vulns int
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    host_assurance bool
    Set True to enable host scanning and respective Host Assurance controls.
    host_behavioral_engine bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    host_forensics bool
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    host_network_protection bool
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    host_os str
    The OS type for the host
    host_protection bool
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    host_user_protection bool
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostname str
    The hostname
    hosts_count int
    Number of enforcers in the enforcer group.
    image_assurance bool
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    install_command str
    Enforcer install command
    kube_bench_image_name str
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    last_update int
    The last date and time the batch token was updated in UNIX time.
    logical_name str
    Name for the batch install record.
    low_vulns int
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    med_vulns int
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    micro_enforcer_certs_secrets_name str
    This option is applicable only if Enable Pod Enforcer injection is selected.
    micro_enforcer_image_name str
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    micro_enforcer_injection bool
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    micro_enforcer_secrets_name str
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    neg_vulns int
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    network_protection bool
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    orchestrators Sequence[EnforcerGroupsOrchestratorArgs]
    The orchestrator for which you are creating the Enforcer group.
    pas_deployment_link str
    pas deployment link
    permission str
    Permission Action
    risk_explorer_auto_discovery bool
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    runtime_policy_name str
    Function Runtime Policy that will applay on the nano enforcer.
    runtime_type str
    The container runtime environment.
    sync_host_images bool
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    syscall_enabled bool
    Set True will allow profiling and monitoring system calls made by running containers.
    token str
    The batch install token.
    type str
    Enforcer Type.
    user_access_control bool
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
    admissionControl Boolean
    Selecting this option will allow the KubeEnforcer to block the deployment of container images that have failed any of these Container Runtime Policy controls:
    * Block Non-Compliant Images
    * Block Non-Compliant Workloads
    * Block Unregistered Images
    This functionality can work only when the KubeEnforcer is deployed in Enforce mode.
    allowKubeEnforcerAudit Boolean
    Allow kube enforcer audit.
    allowedApplications List<String>
    List of application names to allow on the hosts. if provided, only containers of the listed applications will be allowed to run.
    allowedLabels List<String>
    List of label names to allow on the hosts.
    allowedRegistries List<String>
    List of registry names to allow on the hosts.
    antivirusProtection Boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Host Runtime policies.
    aquaVersion String
    Aqua server version
    auditAll Boolean
    Agent will send extra audit messages to the server for success operations from inside the container (runtime).
    autoCopySecrets Boolean
    This option is applicable only if Enable Pod Enforcer injection is selected. Select this option if you want Aqua Enterprise to copy the secrets defined above to the Pod Enforcer namespace and container. Otherwise, you can choose to copy these secrets by other means.
    autoDiscoverConfigureRegistries Boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua.
    autoDiscoveryEnabled Boolean
    When this option is selected, the KubeEnforcer will discover workloads on its cluster.
    autoScanDiscoveredImagesRunningContainers Boolean
    This option is available only if Enable workload discovery is selected. If selected, the KubeEnforcer will automatically register images running as workloads (and scan the discovered images for security issues).
    behavioralEngine Boolean
    Select Enabled to detect suspicious activity in your containers and display potential security threats in the Incidents and Audit pages.
    blockAdmissionControl Boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    commands List<Property Map>
    The installation command.
    connectedCount Number
    Number of connected enforcers in the enforcer group.
    containerActivityProtection Boolean
    Set True to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
    containerAntivirusProtection Boolean
    This setting is available only when you have license for Advanced Malware Protection. Send true to make use of the license and enable the Real-time Malware Protection control in the Container Runtime policies.
    description String
    A description of the Aqua Enforcer group.
    disconnectedCount Number
    Number of disconnected enforcers in the enforcer group.
    enforce Boolean
    Whether to enable enforce mode on the Enforcers, defaults to False.
    enforcerImageName String
    The specific Aqua Enforcer product image (with image tag) to be deployed.
    forensics Boolean
    Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
    gatewayAddress String
    Gateway Address
    gatewayName String
    Gateway Name
    gateways List<String>
    List of Aqua gateway IDs for the Enforcers.
    groupId String
    The ID of the Enforcer group.
    highVulns Number
    Number of high vulnerabilities in the enforcers that in this enforcer group.
    hostAssurance Boolean
    Set True to enable host scanning and respective Host Assurance controls.
    hostBehavioralEngine Boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostForensics Boolean
    Select Enabled to send activity logs in your host to the Aqua Server for forensics purposes.
    hostNetworkProtection Boolean
    Set True to apply Firewall Policies to hosts, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information
    hostOs String
    The OS type for the host
    hostProtection Boolean
    Set True to enable all Host Runtime Policy controls except for OS Users and Groups Allowed and OS Users and Groups Blocked.
    hostUserProtection Boolean
    Set True to enable these Host Runtime Policy controls: OS Users and Groups Allowed and OS Users and Groups Blocked
    hostname String
    The hostname
    hostsCount Number
    Number of enforcers in the enforcer group.
    imageAssurance Boolean
    Set True to enable selected controls: Container Runtime Policy (Block Non-Compliant Images, Block Unregistered Images, and Registries Allowed) and Default Image Assurance Policy (Images Blocked).
    installCommand String
    Enforcer install command
    kubeBenchImageName String
    See https://docs.aquasec.com/docs/securing-kubernetes-applications#section-configuration-hardening, The KubeEnforcer can deploy the Aqua Security kube-bench open-source product to perform Kubernetes CIS benchmark testing of nodes. This field specifies the path and file name of the kube-bench product image for the KubeEnforcer to deploy; it will be filled in automatically. You can optionally enter a different value.
    lastUpdate Number
    The last date and time the batch token was updated in UNIX time.
    logicalName String
    Name for the batch install record.
    lowVulns Number
    Number of low vulnerabilities in the enforcers that in this enforcer group.
    medVulns Number
    Number of medium vulnerabilities in the enforcers that in this enforcer group.
    microEnforcerCertsSecretsName String
    This option is applicable only if Enable Pod Enforcer injection is selected.
    microEnforcerImageName String
    This option is applicable only if Enable Pod Enforcer injection is selected. This field specifies the path and file name of the KubeEnforcer product image to be deployed; it will be filled in automatically. You can optionally enter a different value.
    microEnforcerInjection Boolean
    This applies only if both Enable admission control and Enforce mode are set. This additional option must be selected for admission control to work if the KubeEnforcer is not connected to any Gateway. If this option is not selected, admission control will be disabled; this will have no effect on containers already running.
    microEnforcerSecretsName String
    You can specify the name of the secret (in the Aqua namespace) that Aqua copies into the Pod Enforcer namespace and kube-bench, allowing them access to the Pod Enforcer and kube-bench product images, respectively.
    negVulns Number
    Number of negligible vulnerabilities in the enforcers that in this enforcer group.
    networkProtection Boolean
    Send true to apply Firewall Policies to containers, and allow recording network maps for Aqua services. The Network Firewall setting must be disabled when deploying the Aqua Enforcer on a machine running Rocky Linux. See https://docs.aquasec.com/docs/platform-support-limitations-rocky-linux for further information.
    orchestrators List<Property Map>
    The orchestrator for which you are creating the Enforcer group.
    pasDeploymentLink String
    pas deployment link
    permission String
    Permission Action
    riskExplorerAutoDiscovery Boolean
    Set True to allow Enforcers to be discovered in the Risk Explorer.
    runtimePolicyName String
    Function Runtime Policy that will applay on the nano enforcer.
    runtimeType String
    The container runtime environment.
    syncHostImages Boolean
    Set True to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
    syscallEnabled Boolean
    Set True will allow profiling and monitoring system calls made by running containers.
    token String
    The batch install token.
    type String
    Enforcer Type.
    userAccessControl Boolean
    Set True to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUARUNCINTERCEPTION environment variable set to 0 in order to use User Access Control Policies.

    Supporting Types

    EnforcerGroupsCommand, EnforcerGroupsCommandArgs

    Default string
    Kubernetes string
    Swarm string
    Windows string
    Default string
    Kubernetes string
    Swarm string
    Windows string
    default_ String
    kubernetes String
    swarm String
    windows String
    default string
    kubernetes string
    swarm string
    windows string
    default String
    kubernetes String
    swarm String
    windows String

    EnforcerGroupsOrchestrator, EnforcerGroupsOrchestratorArgs

    Master bool
    Namespace string
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    ServiceAccount string
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    Type string
    Master bool
    Namespace string
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    ServiceAccount string
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    Type string
    master Boolean
    namespace String
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    serviceAccount String
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    type String
    master boolean
    namespace string
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    serviceAccount string
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    type string
    master bool
    namespace str
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    service_account str
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    type str
    master Boolean
    namespace String
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    serviceAccount String
    May be specified for these orchestrators: Kubernetes, Kubernetes GKE, OpenShift, VMware Tanzu Kubernetes Grid Integrated Edition (PKS).
    type String

    Package Details

    Repository
    aquasec pulumiverse/pulumi-aquasec
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aquasec Terraform Provider.
    aquasec logo
    Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse